Rustock botnet back after Christmas break

Emma Woollacott, 12th January 2011

Oh well, it was nice while it lasted. But, as feared, the Rustock botnet is back, heralding the arrival of millions more spam emails pushing Viagra and penis extension.

Along with two other botnets, Lethic and Xarvester, Rustock went quiet over the holiday season. But it seems that the spammers were simply digesting their Christmas dinner at leisure - and now they're back.

Rustock seems to have started up again on Monday and, say malware analyst Mathew Nisbet and anti-spam technologist Matt Sergeant of Symantec, is again taking the dubious honor of being the world's biggest source of spam. They say spam traffic on Monday was double that of the day before.

"True to form, Rustock is spewing mostly pharma spam with subjects like, 'Dear [username] -80% now'. The username is taken as whatever is before the @ symbol in the To address. This appears to be the 'Pharmacy express' branding," they say.

During its little Christmas break, Rustock kept its hand in by continuing to carry out click fraud, using the botnet to simulate a click on a web page ad to gain automatic revenue from the advertisers.

"While levels of Rustock output appear marginally lower than before Christmas, we see no reason they won't reach those previous levels again, bringing global spam levels back up to the approximately 90 percent levels we had become so used to," say Nisbet and Sergeant.

Xarvester is also back, although its level of activity is much lower than Rustock's.

"It is too early to say what effect this will have on global spam levels, or if this return is permanent, but at the moment it certainly seems as if the holiday is over and it's now back to business as usual," they say.